<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=455570291913660&amp;amp;ev=PageView&amp;amp;noscript=1"> Privacy Policy | ACRE Pharmacy

Order Before 5pm For Next Day Delivery (Excludes NI)

Cart: empty

Privacy Policy

Version 2.0 — Last updated 13 May 2026

Acre Aesthetics Ltd trading as ACRE Pharmacy



1. ABOUT THIS POLICY

This Privacy Policy explains how Acre Aesthetics Ltd (company number 11557880), trading as ACRE Pharmacy (pharmacy registration 9011661), collects, uses, shares and protects personal data. In this policy, "we", "us" and "our" mean Acre Aesthetics Ltd; "you" and "your" mean the individual whose personal data we process.


ACRE Pharmacy is a business-to-business (B2B) pharmacy and wholesale supplier serving aesthetic clinics, healthcare practitioners and other professional customers. Our website and services are not intended for, and must not be used by, members of the general public seeking treatment.


We are the data controller for the personal data we process about our trade customers, website visitors and business contacts. Where we dispense private prescriptions, we act as the dispensing pharmacy and process the patient's personal data in accordance with applicable pharmacy law, General Pharmaceutical Council (GPhC) standards and the UK GDPR.


This policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR).



2. PERSONAL DATA WE COLLECT


We collect and process the following categories of personal data.


  • Identification and contact details: name, business name, job title, business address, delivery address, email, telephone number.
  • Professional information: professional registration body and number (e.g. GMC, GDC, NMC, GPhC), prescriber status, qualifications, training certificates, insurance details, and affiliations.
  • Account and verification data: log-in credentials, identification documents and other information we use to verify your professional status, and records of due-diligence checks.
  • Transactional and financial data: orders, products purchased, prices, invoices, payment method details (processed by our payment service providers), credit account information and trading history.
  • Communications: correspondence with us by email, telephone, post, web form or social media; records of complaints, queries and customer service calls.
  • Technical and usage data: IP address, device and browser information, pages viewed, referring URLs, and similar information collected by cookies and analytics tools (see our Cookie section below).
  • Marketing preferences: your choices about receiving marketing communications from us, and your engagement with marketing materials we send.
  • Patient data (where you submit prescriptions to us): the patient's name, address, date of birth, prescriber details, prescribed item(s) and other information necessary to dispense and deliver a private prescription. This is special category (health) data and is handled under section 5 below.



3. HOW WE COLLECT PERSONAL DATA


We collect personal data directly from you when you register a trade account, place an order, submit a prescription through our eRx service, enter into a credit account, request information, attend our training events, contact our customer services team, or otherwise interact with us.


We also collect personal data from: your colleagues or employer where they place orders on your behalf; prescribers or buying groups who submit prescriptions to us; publicly available sources such as the GPhC, GMC, NMC, GDC and Companies House registers, where we verify professional status; credit reference and fraud-prevention agencies where you apply for a credit account; and our manufacturer and distribution partners where you have engaged with a joint programme.



4. LAWFUL BASES FOR PROCESSING


Under UK GDPR Article 6, we rely on the following lawful bases. We will tell you which basis applies to a particular processing activity if you ask.


  • Performance of a contract (Article 6(1)(b)) — to process your trade account, accept and fulfil orders, dispense and deliver prescriptions, handle returns and refunds, manage credit accounts, and deal with related queries.
  • Legal obligation (Article 6(1)(c)) — to meet our obligations as a registered pharmacy and as a UK business, including record-keeping for medicines dispensing, pharmacovigilance and yellow-card reporting, product recalls, tax and accounting, anti-money-laundering checks, and responding to lawful requests from authorities.
  • Legitimate interests (Article 6(1)(f)) — for running and developing our business, including verifying customer eligibility, securing our systems, preventing fraud, sending business-to-business marketing about our products and services, sharing relevant information with our distribution and manufacturer partners (see section 6), undertaking market analysis, and managing our group operations.
  • Consent (Article 6(1)(a)) — where required, for example for certain electronic marketing, non-essential cookies, or where we ask for your explicit consent to share patient data with a third party for a specific purpose. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.


Where we rely on legitimate interests, we have carried out a balancing assessment and consider that our interests are not overridden by your data protection rights and freedoms. You have the right to object to processing based on legitimate interests — see section 10.



5. SPECIAL CATEGORY (HEALTH) DATA — PATIENT PRESCRIPTION INFORMATION


When a prescriber submits a private prescription to us for dispensing, we process the patient's health data. We treat this data with additional care.


Our lawful basis for processing patient health data is Article 9(2)(h) UK GDPR (provision of health care and treatment, and the management of health care systems and services) read with paragraph 2 of Schedule 1 to the Data Protection Act 2018. Processing is carried out under the responsibility of our Superintendent Pharmacist and other professionals who are subject to a duty of confidentiality.


We use patient data only for the purposes of dispensing, delivering and accounting for the prescription, complying with our legal and regulatory obligations (including pharmacovigilance, recalls and reporting to regulators), and handling any related queries or complaints.


We do not share identifiable patient data with manufacturers, distributors or any other third parties for marketing, analytics or commercial purposes. Patient data is only disclosed to: the prescriber and/or the customer account that submitted the prescription; delivery couriers strictly for delivery purposes; relevant regulators or public authorities where required by law; and our processors who provide services such as eRx platforms, IT hosting and secure storage under a written contract.



6. WHO WE SHARE PERSONAL DATA WITH


We share personal data with the following categories of recipient. We only share what is necessary for the purpose, and we put appropriate contractual and security safeguards in place.


6.1 GROUP COMPANIES


Our group and sister companies, including CST Holdings, CST Pharma and other entities within the group, for shared business functions such as finance, IT, compliance, customer support and group reporting.


6.2 DISTRIBUTION AND MANUFACTURER PARTNERS


We share trade customer personal data (such as business contact details, professional registration details, account number and ordering information) with our distribution partners, manufacturer partners and other commercial partners for the following purposes:


  • Order fulfilment, dispatch, tracking, returns and replacement processing.
  • Product recalls, batch traceability, safety notices and pharmacovigilance, including yellow-card reporting and adverse-event handling.
  • Investigating and resolving complaints, warranty and quality issues.
  • Administering joint loyalty, training or promotional programmes you have signed up to or qualified for (for example our Galderma and Merz Aesthetics programmes), including verifying eligibility and applying benefits.
  • Market analysis, demand forecasting, category management and reporting, including providing manufacturer partners with sales data about their products. Wherever practicable this is shared in aggregated or anonymised form; where identifiable trade customer data is shared for market-analysis purposes, we rely on our legitimate interests (and those of our partners) and you have the right to object at any time using the contact details in section 16.


We do not share patient health data with distribution or manufacturer partners for marketing, analytics or commercial purposes (see section 5).


6.3 SERVICE PROVIDERS (PROCESSORS)


We engage trusted third-party service providers who process personal data on our behalf under a written contract that requires them to keep it secure and use it only for our instructions. These include: IT, hosting, cloud-storage and software providers (including our website platform); eRx and pharmacy-management system providers; payment processors and credit-reference agencies; couriers and delivery companies (such as DPD and Royal Mail); printing, mailing and customer-communications providers; analytics, marketing-automation and advertising-technology providers; professional advisers including accountants, auditors and lawyers; and document, records-management and secure-destruction providers.


6.4 REGULATORS, AUTHORITIES AND LAW ENFORCEMENT


We may share personal data with the General Pharmaceutical Council, the Medicines and Healthcare products Regulatory Agency, the Care Quality Commission, HM Revenue & Customs, the Information Commissioner's Office, law-enforcement agencies, courts and other governmental or regulatory bodies where we are required or permitted to do so by law, or where it is necessary to establish, exercise or defend legal claims.


6.5 BUSINESS TRANSACTIONS


If we sell, restructure or transfer all or part of our business, we may share personal data with the buyer or counterparty and their professional advisers, subject to appropriate confidentiality and data-protection safeguards.


6.6 OTHER THIRD PARTIES WITH YOUR CONSENT


Where required by law or where we consider it appropriate, we will only share personal data with other third parties (including for any patient-related purpose beyond those described in section 5) with your specific, informed consent.



7. MARKETING


We send our trade customers business-to-business marketing about our products, services, training and promotions by email, SMS, post, telephone and through our website and apps. We do this on the basis of our legitimate interest in promoting our business to professional customers and, where required by PECR, on the basis of your consent or the "soft opt-in".


Every marketing email we send includes an unsubscribe link. You can also opt out of marketing at any time by emailing info@acrepharmacy.co.uk or by updating your preferences in your account. If you opt out, we will still send you service messages relating to your account, orders or prescriptions.


Where we use cookies and similar technologies for online advertising, we do so on the basis of your consent collected through our cookie banner. You can change your cookie preferences at any time.



8. INTERNATIONAL TRANSFERS


We store and process personal data primarily within the United Kingdom and the European Economic Area (EEA). Some of our service providers, manufacturer partners and group companies are located outside the UK and EEA.


Where we transfer personal data outside the UK we make sure an appropriate safeguard is in place, which will be one of: a UK adequacy decision; the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum; or another lawful transfer mechanism. You can request details of the safeguards we use by contacting us.



9. HOW LONG WE KEEP PERSONAL DATA


We keep personal data only for as long as we need it for the purposes set out in this policy and to meet our legal, regulatory, accounting and reporting obligations.


  • Trade account and customer records: while your account is active, and for up to 7 years after closure for tax, accounting and limitation-period purposes.
  • Prescription and dispensing records: for the periods required by pharmacy law and GPhC standards (generally a minimum of 2 years for private prescriptions, longer where required for controlled drugs or specific products).
  • Marketing records: until you opt out or, if earlier, for as long as you remain an active customer plus a reasonable period after.
  • Website analytics and cookie data: as set out in our Cookie section.
  • CCTV and security records (where applicable): for short periods unless required for an investigation.


Our full Retention Schedule is available on request.



10. YOUR RIGHTS


Under the UK GDPR you have the following rights, which you can exercise free of charge in most cases:


  • Right of access — to obtain confirmation of whether we process your personal data and a copy of that data.
  • Right to rectification — to have inaccurate or incomplete personal data corrected.
  • Right to erasure (the "right to be forgotten") — to have your personal data deleted in certain circumstances.
  • Right to restriction — to ask us to limit how we use your personal data in certain circumstances.
  • Right to data portability — to receive certain personal data in a structured, commonly used and machine-readable format.
  • Right to object — to processing based on legitimate interests, including profiling, and to direct marketing at any time.
  • Rights related to automated decision-making and profiling — we do not currently make decisions about you based solely on automated processing that produce legal or similarly significant effects.
  • Right to withdraw consent — where we rely on consent, you can withdraw it at any time.


To exercise any of these rights, please contact us using the details in section 16. We may need to verify your identity before we can act on your request. We will respond within one month (which we may extend by up to two further months for complex requests, telling you within the first month).


If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk, by phone on 0303 123 1113, or in writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please consider contacting us first.



11. COOKIES AND SIMILAR TECHNOLOGIES


Our website uses cookies and similar technologies to make the site work, to remember your preferences, to understand how visitors use the site (analytics), and — with your consent — to provide more relevant advertising.


When you first visit our site you will be shown a cookie banner allowing you to accept, reject or manage non-essential cookies. You can change your cookie preferences at any time using the cookie settings link on our website.


We use Google Analytics and may use other analytics, advertising and conversion-tracking partners (such as Facebook/Meta Pixel) where you have consented. These providers may set cookies through our site and may process information about your use of the site outside the UK; their processing is governed by their own privacy notices.


Disabling cookies may affect the functionality of our website.



12. SECURITY


We have appropriate technical and organisational measures in place to protect personal data, including encryption in transit and at rest where appropriate, access controls, authentication, network and endpoint protection, secure backups, vendor due-diligence, staff training, and physical security at our premises in line with Pharmacy Information Governance requirements. Access to personal data is restricted to staff, contractors and processors who need it and who are bound by confidentiality.


No system is completely secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals.



13. CHILDREN


Our website and services are intended exclusively for professional B2B customers and are not directed at, and must not be used by, anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us so we can delete it.



14. THIRD-PARTY PRESCRIBERS, CUSTOMERS AND JOINT CONTROLLERSHIP


Where a prescriber, clinic or buying group collects personal data (including patient data) and submits it to us — for example by sending us a prescription — that party is responsible under data-protection law for the lawfulness of their collection and onward transmission to us. By submitting personal data to us, you confirm that you have a lawful basis to do so and that any necessary information has been provided to, and any necessary consents obtained from, the data subjects.


If you are unable to meet that confirmation, please do not submit personal data to us and contact us at info@acrepharmacy.co.uk immediately.



15. CHANGES TO THIS POLICY


We may update this Privacy Policy from time to time. The current version, version number and last-updated date are shown at the top. Where the changes are material we will give reasonable advance notice (for example by email, by a banner on our website, or by posting an updated version on this page in advance of the effective date).



16. CONTACT US


Data controller: Acre Aesthetics Ltd (company number 11557880), trading as ACRE Pharmacy (pharmacy registration 9011661).


Address: Unit 7B, Unit 5-7 Tintagel Way, Westgate Park Industrial Estate, Walsall WS9 8ER, United Kingdom.


Email: info@acrepharmacy.co.uk


Telephone: 01477 536015


For any data-protection enquiry, including requests to exercise your rights, please contact us using the details above and mark your message for the attention of the Data Protection lead.